With ECS tasks I ran into an issue where ECS is unable to pull images from ECR even though the task is set to run in a PUBLIC subnet. In the console it appears that it is possible to set the Auto-assign public IP for an Event target.
Use Case
I have a CloudWatch event that is set to run every week that fires an ECS task. The ECS task needs to be able to pull the ECR image and communicate with external resources and therefore needs a public IP address.
My current event and target:
```typescript
const encryptionEventRule = new Rule(this, `${this.projectTag}-encryption-event-rule`, {
  schedule: Schedule.expression("rate(7 days)"),
});
encryptionEventRule.addTarget(
  new EcsTask({
    cluster,
    taskDefinition: encryptionTaskDefinition,
    taskCount: 1,
    subnetSelection: VPC.selectSubnets({
      subnetType: SubnetType.PUBLIC,
    }),
  })
);
```
Proposed Solution
Just like ECS services, I believe a flag for the Auto-assign public IP can be added.
In an ECS Service:
```typescript
const service = new FargateService(this, SERVICE_NAME, {
  serviceName: SERVICE_NAME,
  taskDefinition: taskDefinition,
  cluster: cluster,
  desiredCount: SERVICE_DESIRED_CONTAINER_COUNT,
  assignPublicIp: SERVICE_ASSIGN_PUBLIC_IP,
  securityGroup: serviceSecurityGroup,
  vpcSubnets: VPC.selectSubnets({
    subnetType: SubnetType.PUBLIC,
  }),
});
```
My proposal for an ECS Task event target:
```typescript
encryptionEventRule.addTarget(
  new EcsTask({
    cluster,
    taskDefinition: encryptionTaskDefinition,
    taskCount: 1,
    assignPublicIp: SERVICE_ASSIGN_PUBLIC_IP,
    subnetSelection: VPC.selectSubnets({
      subnetType: SubnetType.PUBLIC,
    }),
  })
);
```
Other
The CloudWatch console allows for setting the Auto-assign public IP value when creating an Event Rule that triggers ECS tasks as described here.
This is a 🚀 Feature Request
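An added example, not part of the original issue or of the CDK code base: a check that walks a synthesized CloudFormation template (for instance the output of `cdk synth`) and reports the `AssignPublicIp` setting on every ECS target of an `AWS::Events::Rule`, which is the property the requested flag would control. The template is constructed, and the function name, helper and logical IDs are hypothetical.

```typescript
// Added example: constructed data, hypothetical names; not the issue author's stack.
type Json = { [key: string]: any };
interface EcsTargetFinding {
  rule: string;
  targetId: string;
  assignPublicIp: "ENABLED" | "DISABLED";
  explicit: boolean; // false when the template omits the property
}

// Report the public-IP setting of every ECS task target attached to an event rule.
function auditEcsEventTargets(template: Json): EcsTargetFinding[] {
  const findings: EcsTargetFinding[] = [];
  const resources: Json = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const resource: Json = resources[logicalId];
    if (resource.Type !== "AWS::Events::Rule") continue;
    const targets: Json[] = (resource.Properties || {}).Targets || [];
    for (const target of targets) {
      if (!target.EcsParameters) continue; // e.g. a Lambda target
      const net: Json = target.EcsParameters.NetworkConfiguration || {};
      const value = (net.AwsVpcConfiguration || {}).AssignPublicIp;
      findings.push({
        rule: logicalId,
        targetId: String(target.Id),
        // An omitted value is reported as DISABLED, the ECS default for awsvpc tasks.
        assignPublicIp: value === "ENABLED" ? "ENABLED" : "DISABLED",
        explicit: value !== undefined,
      });
    }
  }
  return findings;
}

// Constructed template fragment: one rule without the flag, one with it set.
const ecsTarget = (id: string, vpc: Json): Json => ({
  Id: id, Arn: "arn:aws:ecs:REGION:ACCOUNT:cluster/placeholder",
  EcsParameters: { LaunchType: "FARGATE", TaskCount: 1, NetworkConfiguration: { AwsVpcConfiguration: vpc } },
});
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    RuleWithoutFlag: { Type: "AWS::Events::Rule", Properties: { ScheduleExpression: "rate(7 days)",
      Targets: [ecsTarget("Target0", { Subnets: ["subnet-placeholder"] })] } },
    RuleWithFlag: { Type: "AWS::Events::Rule", Properties: { ScheduleExpression: "rate(7 days)",
      Targets: [ecsTarget("Target0", { Subnets: ["subnet-placeholder"], AssignPublicIp: "ENABLED" }),
                { Id: "Target1", Arn: "arn:aws:lambda:REGION:ACCOUNT:function:placeholder" }] } },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};
console.log(JSON.stringify(auditEcsEventTargets(SAMPLE_TEMPLATE), null, 2));
```

A finding with `explicit: false` matches the situation in the issue: the target runs in a public subnet but nothing in the template requests a public IP for the task.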